Hello, The KQL you need would be this, its part of the SecurityAlert NOT the SecurityIncident - which may help you find the api?
Specifically the value of Search_Query_Results_Overall_Count_ matches "Events"
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
| extend Search_Query_Results_Overall_Count_ = tostring(parse_json(ExtendedProperties).["Search Query Results Overall Count"])
| summarize AlertCount=dcount(SystemAlertId) by SystemAlertId, Search_Query_Results_Overall_Count_
) on $left.AlertIds == $right.SystemAlertId
| project IncidentNumber, AlertCount, Search_Query_Results_Overall_Count_